December 2016

© Stefan Wermuth / Reuters

A modification of the mobile banking trojan Faketoken can encrypt user data to extort a ransom from the user, according to experts at Kaspersky Lab.

The mobile banking trojan, referred to as a modification of Trojan-Banker.AndroidOS.Faketoken by Kaspersky senior malware analyst Roman Unuchek, is distributed "under the guise of various programs and games, often imitating Adobe Flash Player," according to the cybersecurity firm.

Unuchek went on to say that the trojan is capable of interacting with operating system protection mechanisms. For instance, it requests the right to overlay other apps or the right to be the default SMS application.

"This allows Faketoken to steal user data even in the latest versions of Android," according to Unuchek.

From there, Faketoken starts requesting permissions including access to the user's text messages, files and contacts, as well as the ability to send text messages and make calls. Once again, those requests are displayed repeatedly until the user finally agrees to grant access.

It also requests the ability to display windows on top of other applications, which is what it needs to lock the device and to steal user data by displaying phishing pages.

The final request is for the right to be the default SMS application, which allows Faketoken to intercept text messages unnoticed on the latest versions of Android.

Once the "preparatory stage" is over, the trojan begins stealing user data. It downloads a database from the server containing phrases in 77 languages for different device localizations. Using a phrase from the database that matches the user's language, the trojan displays various phishing messages. If a message is tapped, the trojan opens a phishing page aimed at stealing Gmail account passwords.

It also overlays the original Gmail app with a look-alike window that serves the same purpose.

"The trojan can also get the list of applications for attack and an HTML template page to generate phishing pages for the attacked applications from the C&C server. In our case, Faketoken received a list of 2,249 financial applications from around the world," Unuchek wrote.

Once the relevant command is received, the trojan builds a list of files located on the device, including external memory and the memory card, and encrypts them. The trojan receives the encryption key and initialization vector from the command and control (C&C) server.

"The AES symmetric encryption algorithm is used, which leaves the user with a chance of decrypting files without paying a ransom," Unuchek noted.
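As an added illustration (not Kaspersky's or the article's code), the following Python check scans an AndroidManifest.xml, such as one pulled from an APK during triage, for the permission chain described above: overlay windows, SMS access, registration as a default SMS handler, and broad access to files, contacts and calls. Both manifests are constructed samples, and the package names are placeholders.

```python
import xml.etree.ElementTree as ET

# Added triage helper: flags the capability chain the article describes
# when it appears in a manifest. Permission names are real Android ones.
NAME = "{http://schemas.android.com/apk/res/android}name"  # android:name attr
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "files_contacts": {"android.permission.READ_EXTERNAL_STORAGE",
                       "android.permission.WRITE_EXTERNAL_STORAGE",
                       "android.permission.READ_CONTACTS"},
    "calls": {"android.permission.CALL_PHONE"},
}

def triage_manifest(xml_text):
    """Return the sorted list of risky capability labels a manifest requests."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    found = {label for perms_label, perms in CAPABILITIES.items()
             if requested & perms for label in [perms_label]}
    # Only an app that declares a receiver for SMS_DELIVER can be chosen as the
    # default SMS app, which is what lets it read incoming texts on current Android.
    if any(a.get(NAME) == SMS_DELIVER for a in root.iter("action")):
        found.add("default_sms_handler")
    return sorted(found)

# Constructed sample: a fake "Flash Player" package declaring the whole chain.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.flashplayer.fake">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application><receiver android:name=".SmsReceiver"
      android:permission="android.permission.BROADCAST_SMS"><intent-filter>
    <action android:name="android.provider.Telephony.SMS_DELIVER"/>
  </intent-filter></receiver></application>
</manifest>"""

# Constructed sample: an ordinary game that only needs network access.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
```

An app that shows overlay plus default-SMS-handler registration together with SMS or file access matches the behaviour the article describes and is the case to escalate; a single permission on its own is common in legitimate apps.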